Holy grail or another false start for identity

Something that is holding up ecommerce and the development of serious commercial activity online is the matter of identity. There are many proposed solutions, but the fact remains that they are disparate and all fail in the sense that you cannot have one identity online and choose which parts to share with the sites you visit.

So at first glance this identity exchange proposed by PayPal, Google and Equifax has merit. The involvement of Equifax is key because they are a repository of personal information which is known in total only to the person.

Finextra verdict: It’s what the world’s been waiting for. The creation of a workable federated identity standard will provide a major boost to the digital economy. But let’s not get too excited. Don’t forget, we’ve all been here before.

OIX has been accepted by the US government for access to personal records. This is a step. When we look at the model and the participants, though, the first question I have is ‘who are the identity providers?’ Equifax, Google and PayPal each know something about people, but does each know enough to identify people? I have a Google identity but they have never met me, and cannot associate what they know about me sufficiently to entrust private government records to that identity.

Equifax know a completely different set of data about me. Is that enough in and of itself?

The White Paper recognises the issue and lays out a framework, summarised here as ‘assessor qualifications’.

Assessor qualifications — the professional credentials, experience, and other requirements assessors must fulfill to perform certifications

3 Responses

It’s worth pointing out that this is really just the first step down this path, and it will take a lot of work to build federated trust models — which are really necessary if we’re ever going to see transactions of any value be carried over OpenID and related technologies.

As for your point about Google not knowing who you are — there are two responses. First, this trust framework really only deals with what’s called “LOA 1”, which is the first of NIST’s four “levels of assurance”:

Therefore if you use your OpenID at LOA-1, your IDP doesn’t need to have verifiable proof that you are whoever you say you are. In fact, they really have no way to know who’s on the other end of the connection — this is essentially self-asserted identity. If I said my name was “Fred”, you’d say, “Nice to meet you Fred” and treat me as though I were a stranger.

The more interesting cases show up in LOA-2, 3, and 4. But this is where it all begins.

Chris … thanks so much for stopping by. The LOA-n point resonates and settles the direction for me actually. I am still working through the white paper, and did not pick up on the significance of the LOA concept, but following your comment here and searching for LOA now makes sense of it all for me, and goes some way to answering my questions.

As you note, this is where it all begins, and something this large has to begin somewhere.

As a side-note, I am impressed by your steadfast adherence to an open identity model, and seeing Google as part of this partnership makes me appreciate that you are personally moving Google strategy. I commend you for that. That is not inconsequential.